ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations

Please review all of the information in this post specific to your systems for any antivirus scan issues and workarounds.

Important: Some of the steps defined herein may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process below in order to enable programs to operate as they are designed or to implement specific program capabilities. Before you make these changes, it is your responsibility to evaluate the risks that are associated with implementing this process and to test in your specific environment. If you choose to implement this process, take any appropriate additional steps to protect your system. It is recommended that you follow this process only if it is absolutely required for your environment.

System Center Configuration Manager 2007:

If you have Microsoft System Center Configuration Manager 2007 (ConfigMgr 2007) installed and are running into the specific issues defined in the Knowledge Base articles below, you should consider excluding the folders/files defined in each:

KB900638 – Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

KB327453 – Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003

KB922358 – Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates cannot run when a McAfee antivirus program is installed on the same computer

KB924148 – A Systems Management Server (SMS) 2003 client computer stops responding when you try to perform a software update scan of the Inventory Tool for Microsoft Updates (ITMU) on a computer that is running SMS 2003

KB824722 – "Cannot Open the File to Verify the Signature" Appears in Despool.log

The SMS_Executive service may stop responding to some threads. These include the following threads:

• SMS_Discovery_Data_Manager

• SMS_Status_Manager

• SMS_Replication_Manager

• SMS_Despooler

• SMS_Data_Loader

• SMS_Collection_Evaluator

If you experience the behavior described above or in this article (KB327453), use one or more of the following methods to reduce the file backlog:

• Exclude the <DriveLetter>:\<ConfigMgr install folder>\Inboxes\<SMS_Executive thread name> directory or the SMS_CCM\ServiceData directory from the virus-scanning process.

• Make sure that the antivirus software is not configured for Real-Time monitoring.

• Remove the antivirus software, and then restart the server so that any remaining traces are unloaded and removed from memory.

Note: If you exclude the <DriveLetter>:\<ConfigMgr install folder>\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the <DriveLetter>:\<ConfigMgr install folder>\Inboxes directory. Therefore, use these options only as a short-term troubleshooting step and not as a solution for this behavior.

Review the issue described in KB922358, where the antivirus program is configured to scan the %Windir%\SoftwareDistribution folder on the computer on which the ITMU scan is run. In this case, when the antivirus program scans the .edb file, it locks the file. The result is that ITMU cannot access the .edb file. To work around this issue, make sure that the antivirus program does not scan the files in the %windir%\SoftwareDistribution folder on any computer on which the Windows Update Agent is installed.
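The Note above and the KB922358 paragraph separate narrow exclusions from ones that expose the whole Inboxes tree. The following is an added example, not part of the original post, that audits an exported exclusion list against that distinction. The install folder, the SMS_CCM location, the sample paths and the verdict names are assumptions, and paths are expected with environment variables already expanded.

```python
from pathlib import PureWindowsPath

def _norm(raw):
    """Parse a Windows path; treat a trailing * or *.* component as the folder itself."""
    path = PureWindowsPath(raw)
    return path.parent if path.name in ("*", "*.*") else path

def _covers(outer, inner):
    """True when `outer` is `inner` or one of its ancestors (case-insensitive)."""
    return outer == inner or outer in inner.parents

def classify(exclusion, install_dir, sms_ccm_dir, windir):
    """Return 'too-broad', 'scoped' or 'unreviewed' for one exclusion path."""
    path = _norm(exclusion)
    inboxes = PureWindowsPath(install_dir) / "Inboxes"
    narrow = [PureWindowsPath(sms_ccm_dir) / "ServiceData",
              PureWindowsPath(windir) / "SoftwareDistribution"]
    # Inboxes itself, or any parent of it: the case the Note warns about.
    if _covers(path, inboxes):
        return "too-broad"
    # A parent of a listed folder excludes more than the page asks for.
    if any(path != t and _covers(path, t) for t in narrow):
        return "too-broad"
    # One thread's inbox, or a listed folder (or something inside it).
    if inboxes in path.parents or any(_covers(t, path) for t in narrow):
        return "scoped"
    return "unreviewed"  # not a location this page discusses

def audit(exclusions, install_dir=r"D:\ConfigMgr",
          sms_ccm_dir=r"C:\Program Files\SMS_CCM", windir=r"C:\Windows"):
    """Map each exclusion to its verdict. Defaults are constructed sample paths."""
    return {e: classify(e, install_dir, sms_ccm_dir, windir) for e in exclusions}

# Constructed sample exclusion list, as exported from an antivirus policy.
SAMPLE = [
    r"D:\ConfigMgr\inboxes\*",
    r"D:\ConfigMgr\Inboxes\SMS_Status_Manager",
    r"C:\Program Files\SMS_CCM\ServiceData",
    r"c:\windows\softwaredistribution\DataStore",
    r"C:\Windows",
    r"E:\Backups",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:11} {path}")
```

Entries reported as too-broad are the ones to replace with per-thread or per-folder exclusions, or to remove once troubleshooting is finished.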

From a performance point of view, it is recommended that antivirus scanning be disabled on certain key non-executable items. Because these items are non-executable, they pose minimal risk on a server, where the number of non-trusted applications should be negligible and the opening of files by user applications is also minimal. The key items include:

– ConfigMgr 2007 database data and log files (server-side)

– ConfigMgr 2007 log files (server-side)

– ConfigMgr 2007 transactional files (server-side)

– Windows Update Scan Catalog (client-side)

The following is a listing of the details of the above types of key items:
